[Dev] Policy for Package Quarantines

Luke Shumaker lukeshu at lukeshu.com
Sat Apr 15 01:36:25 GMT 2017

On Fri, 14 Apr 2017 18:28:50 -0400,
Nicolás A. Ortega wrote:
> My proposal is the following: when someone brings up a freedom issue (or
> even privacy, for that matter) they should also link to the information
> that led them to this conclusion. Once we see that these links have
> something behind them (a quick skim through the links) we can put in
> place the temporary quarantine of the package. After this point all
> information regarding the freedom issues with the package should be
> concentrated in one place (public place where everyone can see it) and a
> more thorough investigation of the matter (finding exact files that are
> non-free) should take place. If no actual evidence is found or the
> evidence has *all* been countered after X amount of time (I think a
> month or two should do) then the package is taken out of quarantine
> until more concrete evidence can be found. If evidence is found and
> cannot be countered then the package is labelled permanently as non-free
> until either upstream fixes the freedom issues (which *should be
> reported to upstream when found*) or we create a -libre package for it.

As attractive as that proposal is, it doesn't allow for quickly
handling uncontroversially nonfree packages.

And really, the Parabola dev community hasn't generally been receptive
to big ol' processes they have to step through.

> The most important thing I want to be taken away from this is that
> information on the freedom issues of a package should be *easily
> available*. I shouldn't have to be asking absolutely everyone in the
> community who has the actual links so I can verify for my own eyes.
> What's more, the more eyes we have on the issue the more information we
> can obtain and the faster we can solve things.

qt5-webengine was actually one of the better cases.  There have been
packages blacklisted with *no* public discussion or documentation (for
example, libglvnd).

In blacklist.txt, there is a field for a 'ref' referencing Debian,
LibrePlanet, Savannah, Fedora, or Parabola (our bug tracker), for
where you can read about justification for it being blacklisted.

Perhaps we should make this field mandatory?

Happy hacking,
~ Luke Shumaker